An article on Information Rights Management (IRM) and our methodology for its proper implementation in achieving secure flow of sensitive information within and beyond the organizational boundaries.
Document Tracker
Author
Manasdeep
Version
September 2012
Summary of Changes
Document Created
Confidential
Page 2 of
NOTICE
This document contains information which is the intellectual property of Network Intelligence. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of Network Intelligence. Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied. Network Intelligence disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: Fitness for a particular purpose; merchantability; non infringement of intellectual property or other rights of any third party or of Network Intelligence; indemnity; and all others. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of Network Intelligence. Network Intelligence retains the right to make changes to this document at any time without notice. Network Intelligence makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein.
Copyright
Copyright. Network Intelligence (India) Pvt. Ltd. All rights reserved. NII Consulting, AuditPro, Firesec and NX27K are registered trademarks of Network Intelligence India Pvt. Ltd.
Trademarks
Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.
NII CONTACT DETAILS Network Intelligence India Pvt. Ltd. 204 Ecospace, Old Nagardas Road, Near Andheri Subway, Andheri (E), Mumbai 400 069, India Tel: +91-22-2839-2628 +91-22-4005-2628 Fax: +91-22-2837-5454 Email: info@niiconsulting.com
Contents
1. Introduction
2. Why do we need IRM?
3. What exactly can be achieved with IRM?[1]
4. What can't be prevented using IRM?
5. Are Digital Rights Management (DRM) and IRM same things?
6. Key for IRMs successful implementation[5]
   a. Automating policy assignment
   b. Dynamic policy control
   c. Discretionary policy application
   d. Audit Trail
7. Steps before implementing IRM[6]
8. Popular IRM vendor list
9. Challenges in IRM implementation
   a. Lack of commitment by senior management
   b. User Unwillingness to change
   c. Miscellaneous Factors[5]
10. References
1. INTRODUCTION
Information Rights Management (IRM) is the set of techniques and methods that protect an organization's highly sensitive information irrespective of file location, whether the file resides inside or outside the corporate boundaries. This works because the permissions embedded inside the file do not allow unauthorized access, modification, copying or printing. It is typically used to protect financial documents, intellectual property such as patents, design blueprints and executive communications. Broadly speaking, IRM[4] addresses the fundamental problem associated with Data Leakage Prevention (DLP). DLP relies heavily on protecting sensitive files within the corporate network, typically at its end points. It protects data based on its location (directory, file server or database) or while in transit, but does not give protection at a more granular level, i.e. the information contained in the file itself. IRM currently applies mainly to documents and emails in a typical corporate environment. While DLP is a transmission control technology, IRM is a usage control technology.
2. WHY DO WE NEED IRM?
The rationale for using IRM is that the privacy information associated with data must travel along with it. Copying that data must not lose the rights associated with that information. Rights to modify, update, restrict or even destroy that information must be retained by the individual it pertains to, even when a third party holds that information. In a larger context, IRM helps organizations enforce corporate policy governing the secure flow of highly sensitive data in the organization. File protections are defined and enforced based on the user's identity along with corporate policy on a given class of data. The best way to protect information is to do it directly at the level of the information, and not at the level of the many systems which might change, transport or store the information.
The strength of IRM is typically reserved for very sensitive information that travels outside the organization to vendors, suppliers, outsourced parties, partners etc. But the challenges of proper authentication are quite complex outside the enterprise. Hence, the following approaches must be used for effective implementation of enterprise IRM solutions:
d. Audit Trail
An audit trail is an unalterable, chronological log of access to a system and a record of additions, changes, and deletions to the information that system manages. It lists the person accessing the system, the time of access, and the action taken.
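One way to make such a trail tamper-evident is to chain each entry to the hash of the one before it, so that a later change to any entry is detectable. This is an added example, not part of the original paper or of any vendor's product; the function names, record fields and sample events are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain (assumption)


def _digest(prev_hash, record):
    # The hash covers the previous entry's hash plus this record's canonical JSON.
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(log, user, action, document, timestamp):
    """Append who / what / when to the trail, chained to the previous entry."""
    if log and timestamp < log[-1]["record"]["time"]:
        raise ValueError("entries must be chronological")
    record = {"user": user, "action": action, "document": document, "time": timestamp}
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev_hash, "hash": _digest(prev_hash, record)})
    return log[-1]["hash"]


def verify(log):
    """Return the index of the first altered or out-of-order entry, or None if intact."""
    prev_hash, prev_time = GENESIS, ""
    for i, entry in enumerate(log):
        rec = entry["record"]
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, rec):
            return i
        if rec["time"] < prev_time:
            return i
        prev_hash, prev_time = entry["hash"], rec["time"]
    return None


def demo():
    # Constructed sample events; ISO 8601 UTC timestamps compare correctly as strings.
    log = []
    append_entry(log, "alice", "open", "q3-forecast.xlsx", "2012-09-03T09:15:00Z")
    append_entry(log, "bob", "print", "q3-forecast.xlsx", "2012-09-03T10:02:00Z")
    append_entry(log, "alice", "modify", "q3-forecast.xlsx", "2012-09-04T08:40:00Z")
    intact = verify(log)
    log[1]["record"]["action"] = "open"  # a stored entry is edited after the fact
    return intact, verify(log)


if __name__ == "__main__":
    print(demo())  # (None, 1)
```

A hash chain only shows that history was changed; for the trail to be unalterable in practice, the latest hash also has to be kept where those who can write to the log cannot modify it.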
So you are all geared up to implement an IRM solution in your company. But before that, answer this quick checklist:
- In which business areas is sensitive information frequently exchanged?
- What needs to be protected (documents, email etc.)?
- How will security policies be enforced to protect this sensitive information or communication?
- Who can use the information (people, group)?
- What can a user do with that information (read, write, print or forward)?
- When can the user access the information (time duration and dates)?
- Where can the information be accessed from (in office, home)?
- What would be the consequences to the business if this information ended up in the wrong hands?
- Does the organization retain any employee, customer, or member information that could be used in identity theft if it were exposed, either through loss or theft?
c. Miscellaneous Factors[5]
- External user authentication for partners, vendors, suppliers and outsourced parties must be strong and well formed. Any loose ends will damage the confidentiality of the information.
- Most IRM products, like Microsoft's Windows Rights Management Services, are great for Windows and Office, but they are mainly for Microsoft apps. For other applications, such as CAD or blueprints, solutions are either from small vendors or very limited in scope.
10. REFERENCES
1. http://www.iotap.com/Blog/tabid/673/entryid/61/Information-RightsManagement-Sharepoint-2010.aspx
2. http://en.wikipedia.org/wiki/Information_Rights_Management
3. http://blogs.kuppingercole.com/kuppinger/category/information-rightsmanagement/
4. http://covertix.blogspot.in/
5. http://www.rcpbuyersguide.com/dload.php?file=whitepapers/SponsorIndex_EMC_Whitepaper11534369.pdf
6. http://www.niiconsulting.com/solutions/information_rights_management.html